
sec:authorize with role hierarchy not working

Oct 29th, 2012, 11:51 PM

I can't get sec:authorize hasRole() to work with the role hierarchy. If I have a user with role ROLE_BOSS which is the parent of ROLE_WORKER, then <sec:authorize access="hasRole('ROLE_WORKER')"> is false for some reason. In my service classes @PreAuthorize("hasRole('ROLE_WORKER')") does work however. I assumed they both used the same evaluator, so why doesn't the taglib work? Thanks for the help.

Very strange and I don't think this is correct, but it seems to work. I started digging through the Spring source code and I think I got it to work by taking the DefaultWebSecurityExpressionHandler out of the accessDecisionManager and placing it at the very top of all my security configurations. So at the top of my -config.xml I have this:

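The taglib and the method interceptor each evaluate `hasRole()` through their own expression handler, and a handler only honours inherited roles when a `RoleHierarchy` has been set on it. The following is an added example, not code from the thread or from Spring; it assumes Spring Security 3.1 APIs (`RoleHierarchyImpl`, `DefaultWebSecurityExpressionHandler`, the `FilterInvocation(String, String)` test constructor) and a constructed user `alice` who holds only `ROLE_BOSS`. It evaluates the same `hasRole('ROLE_WORKER')` expression once against a handler with no hierarchy and once against one that has the `ROLE_BOSS > ROLE_WORKER` hierarchy wired in, which is the difference a bean placed in the wrong spot produces.

```java
import java.util.Collection;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/**
 * Added example, not from the thread. Assumes Spring Security 3.1 APIs.
 * Shows why hasRole('ROLE_WORKER') can differ between two expression handlers
 * that look identical apart from the RoleHierarchy wired into them.
 */
public class RoleHierarchyExpressionCheck {

    /** The hierarchy the thread describes: ROLE_BOSS inherits everything ROLE_WORKER has. */
    static RoleHierarchyImpl bossOverWorker() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_BOSS > ROLE_WORKER");
        return hierarchy;
    }

    /** Evaluates a web-security expression for the given user the way <sec:authorize access="..."> does. */
    static boolean evaluate(DefaultWebSecurityExpressionHandler handler, Authentication user, String accessExpression) {
        // Dummy invocation: the taglib uses the live request, but hasRole() never consults it.
        FilterInvocation invocation = new FilterInvocation("/any", "GET");
        EvaluationContext ctx = handler.createEvaluationContext(user, invocation);
        Expression expr = handler.getExpressionParser().parseExpression(accessExpression);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) {
        // Constructed user: holds ROLE_BOSS only, never ROLE_WORKER directly.
        Authentication boss = new TestingAuthenticationToken("alice", "n/a", "ROLE_BOSS");

        // Handler as created when no RoleHierarchy is wired in: inherited roles are invisible to it.
        DefaultWebSecurityExpressionHandler plain = new DefaultWebSecurityExpressionHandler();

        // Handler with the hierarchy wired in: this is the one the taglib has to resolve.
        DefaultWebSecurityExpressionHandler hierarchical = new DefaultWebSecurityExpressionHandler();
        hierarchical.setRoleHierarchy(bossOverWorker());

        String access = "hasRole('ROLE_WORKER')";
        System.out.println("without hierarchy: " + evaluate(plain, boss, access));
        System.out.println("with hierarchy:    " + evaluate(hierarchical, boss, access));

        // The hierarchy can also be inspected on its own, handy in a unit test for the security config.
        Collection<? extends GrantedAuthority> reachable =
                bossOverWorker().getReachableGrantedAuthorities(boss.getAuthorities());
        System.out.println("ROLE_BOSS reaches: " + reachable);
    }
}
```

Run stand-alone, the plain handler reports `false` for the boss and the hierarchical one reports `true`; the reachable set lists both `ROLE_BOSS` and `ROLE_WORKER`. In XML the same effect comes from giving the handler bean a `roleHierarchy` property and making sure it is the handler bean the taglib actually resolves from the context; the method-security handler needs the same property, otherwise `@PreAuthorize` and `<sec:authorize>` silently enforce two different policies, which is the mismatch the thread is chasing.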

I have a working webExpressionHandler and methodExpressionHandler, but for the life of me I can't get (HttpServletRequest)request.isUserInRole("ROLE_WORKER") to return true when I am just a ROLE_BOSS, which should be the parent of ROLE_WORKER. Why is this?


I have come across the exact same problem yesterday and I am tearing my hair out.

The RoleHierarchyVoter works as expected within the intercept-urls, but when I try to use it through the authorize taglibs the WebExpressionVoter blatantly ignores the roles and simply denies access.